[Samba] users map with ADS not working

Nitin Thakur Wed, 10 Oct 2012 20:15:19 -0700

Hi All

I am running two instances of samba on same box. One instance of samba has 
joined AD domain ABC and the other 123. My workstation is on ABC domain and 
when I try to connect to samba server on ABC domain, it asks me for user name 
and password and then fails. If I put IP address instead it works. At the same 
time, when I try to connect to 123 domain, it asks me for user name and 
password and authenticates me without any problem. I set the debug level to 9 
on both the instances. I am not running winbind - please dont ask me why. The 
strange problem is when a user who has same unix and windows account in ABC 
domain, when he tries to log into the samba server which is on ABC domain, it 
works with hostname where as folks who has different accounts on windows and 
unix, it dosent work for them with hostname but with IP.


The Global section of both the instances is similar, here is the global section 
of samba server which is binding to ABC domain: -

#======================= Global Settings =====================================
[global]

socket options = TCP_NODELAY IPTOS_LOWDELAY
netbios name = TST-SMB-DEV
workgroup = ABC
server string = tst-smb-dev Server ver %v
security = ADS
log file = /opt/local/samba-3.6.7/dev/logs/log.%m
max log size = 50
password server =  AD1.ABC.com AD2.ABC.com
encrypt passwords = yes
realm = ABC.COM
local master = no
domain master = no
domain logons = no
dns proxy = no
smb passwd file = /opt/local/samba-3.6.7/dev/private
private dir = /opt/local/samba-3.6.7/dev/private
username map = /opt/local/samba-3.6.7/dev/users.map
pid directory = /opt/local/samba-3.6.7/dev
bind interfaces only = yes
wins support = no
domain master = no
locking = yes
lock directory = /opt/local/samba-3.6.7/dev/var/locks
preserve case = yes
short preserve case = yes
load printers = no
printcap name = /dev/null
deadtime = 15
preferred master = no
guest account = nobody
guest ok = no
syslog = 0
interfaces = 10.20.20.3
socket address = 10.20.20.3
kerberos method = system keytab
log level = 9
----------------------------------------------------------------------------------------------------------------------------

Here are the logs when user whose mapping is defined in users.map tries to log 
into samba instance which is binding to ABC domain

[2012/10/10 15:07:11.896408,  3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: foo [Foo Bar]
[2012/10/10 15:07:11.896530,  3] 
auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [f...@abc.com]
[2012/10/10 15:07:11.896611,  4] auth/user_util.c:361(map_username)
  Scanning username map /opt/local/samba-3.6.7/dev/users.map
[2012/10/10 15:07:11.896665,  3] auth/user_util.c:402(map_username)
  Mapped user ABC\foo to bar
[2012/10/10 15:07:11.896725,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user bar
[2012/10/10 15:07:11.896758,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is bar
[2012/10/10 15:07:11.897025,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [bar]!
[2012/10/10 15:07:11.897418,  6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /opt/local/Samba/lib/smb.conf.dev -> /opt/local/Samba/lib/smb.conf.dev  
last mod_time: Wed Oct 10 15:06:58 2012

[2012/10/10 15:07:11.897530,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user ABC\foo
[2012/10/10 15:07:11.897562,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is ABC\foo
[2012/10/10 15:07:11.897648,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is ABC\foo
[2012/10/10 15:07:11.897725,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is ABC\foo
[2012/10/10 15:07:11.897798,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in ABC\foo
[2012/10/10 15:07:11.897832,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [ABC\foo]!
[2012/10/10 15:07:11.897861,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user foo
[2012/10/10 15:07:11.897896,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is foo
[2012/10/10 15:07:11.897973,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is foo
[2012/10/10 15:07:11.898045,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in foo
[2012/10/10 15:07:11.898077,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [foo]!
[2012/10/10 15:07:11.898222,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user foo
[2012/10/10 15:07:11.898256,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is foo
[2012/10/10 15:07:11.898332,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is foo
[2012/10/10 15:07:11.898403,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in foo
[2012/10/10 15:07:11.898441,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [foo]!
[2012/10/10 15:07:11.898471,  3] auth/auth_util.c:1121(check_account)
  Failed to find authenticated user ABC\foo via getpwnam(), denying access.
[2012/10/10 15:07:11.898502,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!

--------------------------------------------------------------------------------------------------------------------------------------------

here is my users.map

foo = ABC\bar


on the other instance: -
[global]

socket options = TCP_NODELAY IPTOS_LOWDELAY
netbios name = TST-SMB-UAT
workgroup = 123
server string = tst-smb-uat Samba Server ver %v
security = ADS
#map untrusted to domain = Yes
log file = /opt/local/samba-3.6.7/uat/logs/log.%m
log level = 5
max log size = 50
password server =  AD1.123.com
encrypt passwords = yes
realm = 123.COM
local master = no
domain master = no
domain logons = no
dns proxy = no
smb passwd file = /opt/local/samba-3.6.7/uat/private
private dir = /opt/local/samba-3.6.7/uat/private
username map = /opt/local/samba-3.6.7/uat/users.map
pid directory = /opt/local/samba-3.6.7/uat
bind interfaces only = yes
wins support = no
domain master = no
allow trusted domains = yes
locking = yes
lock directory = /opt/local/samba-3.6.7/uat/var/locks
preserve case = yes
short preserve case = yes
name resolve order = host bcast
load printers = no
printcap name = /dev/null
deadtime = 15
preferred master = no
syslog = 0
interfaces = 10.20.20.4
----------------------------------------------------------------------------------------
and logs are: -

[2012/10/10 16:15:26.386651,  3] 
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
  string_to_sid: SID foo is not in a valid format
[2012/10/10 16:15:26.386693,  4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/10/10 16:15:26.386725,  4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/10/10 16:15:26.386753,  4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/10/10 16:15:26.386781,  5] 
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2012/10/10 16:15:26.386827,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/10/10 16:15:26.386900,  5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_foo
[2012/10/10 16:15:26.386952,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/10/10 16:15:26.386988,  4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/10/10 16:15:26.387019,  4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/10/10 16:15:26.387047,  4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/10/10 16:15:26.387074,  5] 
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2012/10/10 16:15:26.387101,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/10/10 16:15:26.387196,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/10/10 16:15:26.387256,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user foo
[2012/10/10 16:15:26.387287,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is foo
[2012/10/10 16:15:26.387318,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [foo]!
[2012/10/10 16:15:26.387362,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user foo
[2012/10/10 16:15:26.387392,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is foo
[2012/10/10 16:15:26.387423,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [foo]!
[2012/10/10 16:15:26.387467,  3] smbd/service.c:872(make_connection_snum)
-------------------------------------------------------------------------------------------------------------------------------------
and my users.map

foo = bar 123\bar


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

any suggestions?

thanks

Nitin
                                          
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] users map with ADS not working

Reply via email to